This release focuses on bug fixes for malformed and off-spec feeds. Illegal XML control characters, unusual date formats, incorrectly typed JSON Feed fields, and unescaped ampersands in URLs could previously break a parse or silently drop content. The parser now handles these cases without failing the feed or losing the affected content.
It also fixes a lazy-initialization data race when a default-configured Parser is reused across goroutines (#278). Three new options give callers more control over resource use: an HTTP response-size limit, optional retention of the original source feed, and a switch to disable RSS content-image scanning.
For RSS and Atom, the universal Parser.Parse method no longer holds two complete copies of the raw feed in memory during format detection. It examines the first 4 KiB, detects the format, and then parses directly from the reader. The returned Feed is still fully materialized, so this is not a streaming API. JSON Feed decoding still buffers the complete document.
Compatibility
- Go 1.25 or newer is required. v1.4.0 updates
golang.org/x/netfrom v0.4.0 to v0.56.0 to resolve 22 reachable vulnerabilities reported bygovulncheck; that release and itsgolang.org/x/textdependency require Go 1.25. ParseURLnow applies a 30-second request timeout.ParseURLWithContextcontinues to use the caller's context.Parsenow examines only the first 4 KiB to detect the feed type. RSS and Atom roots must begin within that window. In v1.4.0, a JSON Feed whose complete document does not fit within the window is not detected by the universalParserand returnsErrFeedTypeNotDetected.- The text returned by
ErrFeedTypeNotDetected.Error()now begins with lowercasefailed. - No exported v1 identifier was removed.
Feednow has private storage for the original source feed, so external positionalFeed{...}literals no longer compile; keyed literals are unaffected.
Added
- Add
Parser.MaxByteSizeandErrResponseTooLargeto limit response bodies fetched byParseURLandParseURLWithContext. (#286) - Add
Parser.KeepOriginalFeedandFeed.OriginalFeed()for access to the parsed*rss.Feed,*atom.Feed, or*json.Feed. (#289) - Add
DefaultRSSTranslator.DisableContentImageScanto skip the HTML image fallback on large feeds while preserving existing behavior by default. (#330)
Parsing and translation fixes
- Fix a data race when the same default-configured
Parseris reused across goroutines. (#278) - Limit universal-parser format detection to a 4 KiB lookahead, parse RSS and Atom directly from the reader without retaining two complete raw copies, and propagate reader I/O errors. (#327)
- Preserve parse errors when closing an HTTP response also returns an error.
- Tolerate non-HTTP URI schemes and resolve RSS and Atom
xml:basevalues without mutating sibling scope. (#240, #283, #290) - Resolve every URI-bearing HTML attribute, including elements with multiple URI attributes. (#323)
- Preserve ordinary Atom content that merely looks like base64 and trim whitespace-prefixed Atom links. (#238, #283)
- Promote embedded Atom author, date, content, summary, and category elements from RSS into universal fields. (#292)
- Correct RSS
guidisPermaLinkhandling and replace the invaliditunes:subtitlefeed-link fallback withatom:link. (#283, #322) - Handle illegal C0 XML controls, mixed CDATA content, namespace whitespace,
<cloud>children, and non-content<encoded>elements without losing the feed. (#284, #295, #317, #318, #325) - Continue entity decoding after bare ampersands without corrupting query parameters that resemble legacy HTML entities. (#319, #321)
- Correct named timezone offsets and additional date layouts. (#234, #282, #324)
- Tolerate off-spec JSON Feed IDs, booleans, attachment sizes, and durations; use attachment byte size for
Enclosure.Length; and reject out-of-range numeric sizes safely. (#279, #326) - Prevent sorting panics when items have nil parsed publication dates.
Dependencies and maintenance
- Replace
jsoniterwithencoding/json. (#280) - Migrate to
github.com/mmcdole/goxpp/v2v2.0.0. (#329) - Replace
goqueryandcascadiawith directx/net/htmltraversal. (#330) - Upgrade
golang.org/x/netandgolang.org/x/textfor security, and upgradetestifyandurfave/cli. - Expand regression fixtures and consolidate parser and translator control flow. (#332, #333)
- Add contributor guidance and test-fixture conventions. (#331)
- Modernize GitHub Actions with stable/oldstable builds, race-enabled shuffled tests, Staticcheck, govulncheck, Codecov, and Dependabot; remove the defunct Travis configuration. (#297, #335)
Contributors
Contributions in this release came from @mmcdole, @TypicalAM, @oprudkyi, and @akfaew.
Full changelog: v1.3.0...v1.4.0